[Labs-l] Per-project sudo, managed via labsconsole

Ryan Lane rlane32 at gmail.com
Tue Apr 24 01:06:19 UTC 2012


Blog post detailing the implementation:

    http://ryandlane.com/blog/2012/04/24/per-project-sudo-policies-using-sudo-ldap-and-puppet/

- Ryan

On Mon, Apr 23, 2012 at 3:06 PM, Ryan Lane <rlane32 at gmail.com> wrote:
> I've recently added support for managing sudo policies in LDAP in a
> per-project manner via labsconsole. In the sidebar, there's a "Manage
> sudo policies" link. If you are a sysadmin in a project, you can
> modify the sudo policies for that project. A sudo policy, in this
> context, lets you define:
>
> 1. Sudo users: the users a policy applies to
> 2. Sudo hosts: the instances a policy applies to
> 3. Sudo commands: the commands the specified users are allowed to run
> on the specified hosts
> 4. Sudo options: options to modify sudo's behavior
>
> When projects are created, they are also created with a default policy:
>
> 1. Sudo users: ALL
> 2. Sudo hosts: ALL
> 3. Sudo commands: ALL
> 4. Sudo options: (none)
>
> All currently existing projects have had this policy added, except for
> bastion and testlabs (to match the previous behavior).
>
> This change is being applied across all instances right now, and will
> be in effect for all instances that are currently running puppet
> properly. I'll follow up with a blog post on how this is implemented.
>
> - Ryan
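
The default policy in the announcement above sets users, hosts and commands all to ALL, so a project that never narrows it grants unrestricted sudo. As an added example (not part of the original message or of labsconsole), this Python code parses sudo-ldap `sudoRole` entries from an LDIF export and lists the ones still in that state; the DNs, project names and sample entries are constructed, and base64 (`attr::`) values are not decoded.

```python
from collections import defaultdict

# Added example. Constructed sample LDIF; DNs and project names are hypothetical.
SAMPLE_LDIF = """\
dn: cn=default-sudo-policy,ou=sudoers,cn=exampleproject,ou=projects,dc=example,dc=org
objectClass: sudoRole
cn: default-sudo-policy
sudoUser: ALL
sudoHost: ALL
sudoCommand: ALL

# A narrowed policy: one user, one host, one command (value folded over two lines).
dn: cn=restart-web,ou=sudoers,cn=otherproject,ou=projects,dc=example,dc=org
objectClass: sudoRole
cn: restart-web
sudoUser: alice
sudoHost: web1
sudoCommand: /usr/sbin/service apache2
  restart
sudoOption: !authenticate
"""

def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> list of values."""
    entries, current, last = [], defaultdict(list), None
    for line in text.splitlines() + [""]:       # trailing "" flushes the last entry
        if line.startswith("#"):                # LDIF comment
            continue
        if line.startswith(" ") and last:       # folded line: drop one space, append
            current[last][-1] += line[1:]
        elif not line.strip():                  # blank line ends the entry
            if current:
                entries.append(dict(current))
            current, last = defaultdict(list), None
        else:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            current[last].append(value.strip())
    return entries

def is_unrestricted(entry):
    """True when sudoUser, sudoHost and sudoCommand all contain ALL."""
    return all("ALL" in entry.get(a, []) for a in ("sudouser", "sudohost", "sudocommand"))

def audit(text):
    """Return the DNs of sudoRole entries that still grant ALL/ALL/ALL."""
    roles = [e for e in parse_ldif(text) if "sudoRole" in e.get("objectclass", [])]
    return [e["dn"][0] for e in roles if is_unrestricted(e)]
```

Calling `audit()` on an export of the sudoers subtree returns the policies to review first.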


